Re: Proposal: a "clear site data" API.

On Sat, Jun 13, 2015 at 6:37 PM, Alex Russell <slightlyoff@google.com> wrote:
>
> That's why I'm focused on suspending/reloading. Suspending script
> execution keeps collision from happening. Hard reload after all are
> disconnected and storage is reset seems the only way to know a page is
> "clean". Am I missing something?
>
This makes sense. The current neutering algorithm would take care of script
suspension (by setting "sandboxed scripts browsing context"
<https://html.spec.whatwg.org/multipage/browsers.html#sandboxed-scripts-browsing-context-flag>
and other sandboxing flags), and adding a final "reload everything" step would
give us a better story with regard to being reactive to user input. Sounds
pretty reasonable to me.

My bigger worry is doing the suspension in an atomic way; "freeze the world
while we walk through everything" is appealing, but would have performance
impacts on other pages that might or might not be reasonable to mandate.
Walking through all the open browsing contexts, freezing them, and then
walking through any newly created browsing contexts (and then repeating?)
might be a way of mitigating the risk of super-persistent, self-healing XSS
that you're positing.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Saturday, 13 June 2015 17:48:09 UTC
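The "walk, freeze, walk the newly created contexts, repeat" idea from Mike's second paragraph, modelled as an added example (it is not code from the thread, from the Clear-Site-Data proposal, or from any browser). Browsing contexts are a toy class: while the walk is non-atomic, an unfrozen context still gets to run between freezes and may spawn children (an opened window or injected frame), which is exactly what a self-healing payload would rely on. `neuter_single_pass` freezes only the contexts that existed when the walk began; `neuter_until_fixpoint` re-walks until no unfrozen context remains. The scenario, class names and tick model are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class BrowsingContext:
    """Toy browsing context (constructed; not the HTML spec's structure)."""
    name: str
    frozen: bool = False
    # children this context will spawn on its next turn if it is not frozen
    pending_spawns: list = field(default_factory=list)


class ToyOrigin:
    """All browsing contexts belonging to one origin (constructed model)."""

    def __init__(self, contexts):
        self.contexts = list(contexts)

    def tick(self):
        """Let every unfrozen context run one step, spawning its pending children."""
        spawned = []
        for ctx in list(self.contexts):
            if ctx.frozen:
                continue  # sandboxed scripts flag set: no script runs here
            spawned.extend(ctx.pending_spawns)
            ctx.pending_spawns = []
        self.contexts.extend(spawned)
        return spawned

    def unfrozen(self):
        return [c for c in self.contexts if not c.frozen]


def build_scenario():
    """Constructed scenario: A spawns C, which in turn spawns E; B is quiet."""
    e = BrowsingContext("E")
    c = BrowsingContext("C", pending_spawns=[e])
    a = BrowsingContext("A", pending_spawns=[c])
    b = BrowsingContext("B")
    return ToyOrigin([a, b])


def neuter_single_pass(origin):
    """Freeze the contexts present at the start of the walk, once.

    The walk is not atomic: other contexts run (tick) before each freeze, so
    anything spawned during the walk is never visited. Returns survivors' names.
    """
    for ctx in list(origin.contexts):
        origin.tick()
        ctx.frozen = True
    return [c.name for c in origin.unfrozen()]


def neuter_until_fixpoint(origin, max_rounds=100):
    """Freeze, re-walk for newly created contexts, repeat until none remain.

    Returns the number of walks needed. Raises if no fixpoint is reached,
    which would indicate contexts being created faster than they are frozen.
    """
    for walks in range(max_rounds + 1):
        pending = origin.unfrozen()
        if not pending:
            return walks
        for ctx in pending:
            origin.tick()
            ctx.frozen = True
    raise RuntimeError("neutering did not converge")


if __name__ == "__main__":
    print("single pass leaves running:", neuter_single_pass(build_scenario()))
    print("walks to fixpoint:", neuter_until_fixpoint(build_scenario()))
```

With the constructed scenario the single pass leaves C and E running, while the repeated walk converges in two passes; the `max_rounds` bound is the place where a real implementation would have to decide when to give up and fall back to the harder "freeze the world" approach.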